Disclosure · SafeScan Now earns commissions when readers buy through certain links. We never accept paid rankings — see our methodology.


What Is Spyware? How to Detect & Remove It in 2026

Spyware is software that secretly monitors your activity. Learn the 6 types — keyloggers, stalkerware, infostealers — plus detection signs and step-by-step removal.

Last updated · April 25, 2026 · By Sarah Lin (Threat Intelligence Analyst)

Spyware is software installed on a device without informed consent that quietly collects information — keystrokes, passwords, browser history, location, microphone audio, or camera frames — and sends it to a third party. It is one of the oldest categories of malware, predating modern ransomware by more than a decade, and it has only become more capable as smartphones have replaced PCs as the primary target. Microsoft's Digital Defense Report 2024 noted a year-over-year increase in commercial spyware activity, and Kaspersky's 2024 stalkerware report identified roughly 31,000 unique mobile users targeted by stalkerware in 2024 — a number widely considered to be a small fraction of the true total.

Last updated: April 25, 2026 — Reviewed by Sarah Lin (GCTI)

Quick Answer / TL;DR

  • Spyware = covert software that monitors and exfiltrates user data.
  • Six common categories: keyloggers, infostealers, adware-spyware, mobile stalkerware, tracking cookies, and commercial mercenary spyware (e.g., Pegasus).
  • Top entry vectors in 2026: side-loaded mobile apps, phishing, bundled "free" PC software, and physical access to the device.
  • Key symptoms: battery drain, camera/mic indicator without an app in use, new browser extensions, unusual data usage.
  • Removal: full antivirus scan in safe mode + permission audit + password reset from a clean device. Factory reset for confirmed mobile cases.

Spyware vs. Other Malware

The defining behavior of spyware is observation, not destruction. A ransomware operator wants to be noticed at a specific moment so that payment can be demanded. A spyware operator wants the opposite: to remain invisible for as long as possible. This is why spyware tends to be lighter on system resources than other malware and why detection usually relies on behavior analytics rather than dramatic indicators.

Spyware overlaps with other categories. A banking trojan that includes a keylogger is performing spyware functions during one phase of its operation. An info-stealer trojan is, by behavior, a single-shot spyware payload. The distinction is that spyware emphasizes persistence and ongoing surveillance, while a one-shot info-stealer often runs once and exits to avoid detection.

The 6 Main Types of Spyware

| Spyware Type | Primary Goal | Typical Target | Common Delivery |
|---|---|---|---|
| Keylogger | Capture every keystroke | PCs, banking sites | Trojan dropper, malicious browser extension |
| Infostealer | Bulk-grab cookies, passwords, wallets | Workstations | Cracked software, fake AI tools |
| Adware-Spyware | Track browsing for ad targeting | Consumer PCs | Bundled "free" software |
| Mobile Stalkerware | Surveil a specific person | Android (mostly) | Manual install with physical access |
| Tracking Cookies | Build cross-site behavioral profiles | All browsers | Web ads, analytics tags |
| Commercial Mercenary Spyware | High-value surveillance (gov/enterprise) | Specific individuals | Zero-click exploits, spear-phishing |

Keyloggers

A keylogger records keystrokes — and often more, including clipboard content, mouse clicks, and screenshots at intervals. Software keyloggers run as a process or kernel driver. Hardware keyloggers are tiny devices physically inserted between keyboard and computer; they are less common in 2026 but still appear in physical-access threat models. Keyloggers remain the most direct path to capturing online banking credentials.

Infostealers

Infostealers — RedLine, Vidar, Raccoon, Lumma, and newer variants — are the fastest-growing spyware category in 2025–2026. A single execution can scrape browser passwords, session cookies, autofill data, and cryptocurrency wallet files. Infostealer logs are now the most common precursor to corporate breaches per Mandiant's June 2024 advisory on the Snowflake-customer attack wave.

Adware-Spyware

Adware crosses into spyware when its data collection goes beyond what the user understood. The historical archetype is browser-toolbar software bundled with "free" downloads. Modern adware-spyware shows up as aggressive browser extensions and as mobile SDKs embedded in free utility apps. Google Play and Apple's App Store have removed thousands of such apps, often years after collection began.

Mobile Stalkerware

Stalkerware is spyware marketed for monitoring a partner, child, or employee. It typically requires brief physical access to install. Once running, it can log SMS, call history, GPS location, microphone audio, and camera images. The Coalition Against Stalkerware was founded in 2019 by Avast, Kaspersky, Malwarebytes, NortonLifeLock, and others to standardize detection.

Tracking Cookies

Tracking cookies are not malware in the strict sense, but they perform a spyware-like function: third-party JavaScript and pixel tags follow users across sites to build behavioral profiles. Browsers have begun deprecating third-party cookies (Safari since 2020, Firefox by default, Chrome on an evolving timeline). Use of the replacement techniques, fingerprinting and CNAME cloaking, has accelerated.

Commercial Mercenary Spyware

Pegasus, developed by NSO Group and described in major investigative reporting starting in 2016 (most prominently in the 2021 Pegasus Project), is the best-known example. Mercenary spyware is sold to government clients, costs millions per deployment, and uses zero-click exploits requiring no user interaction. Apple's Lockdown Mode, introduced in iOS 16 (2022), was created largely in response.

Real-World Spyware Examples

  • FinFisher / FinSpy. Sold to government clients since at least 2011. Citizen Lab researchers have documented use against journalists and dissidents. Gamma Group declared insolvency in 2022.
  • Pegasus (NSO Group). Publicly described starting in 2016; the Pegasus Project (July 2021) cataloged 50,000+ phone numbers reportedly selected as potential targets. Apple has issued threat notifications to affected users since 2021.
  • CoolWebSearch (mid-2000s). Historic adware-spyware family that hijacked browser settings, often cited as the case that pushed AV vendors to add anti-spyware modules.
  • HiddenAds (2020 onward). Android adware-spyware apps repeatedly removed from Google Play; Avast reported 47 such apps reaching tens of millions of installs before takedown.
  • mSpy (data exposure 2024). Consumer-marketed monitoring app whose support database leaked, exposing customer and victim records — a recurring pattern across stalkerware vendors.

How Spyware Gets on Your Device

  1. Side-loaded mobile apps. APKs from unofficial stores; iOS configuration profiles or enterprise-signed apps the user is tricked into trusting.
  2. Phishing emails and SMS (smishing). Links to credential-harvesting pages, macro-laced attachments, or fake "delivery notification" pages.
  3. Bundled "free" software. Free PDF tools, video downloaders, and cracked games — classic delivery vehicles for adware-spyware.
  4. Browser extensions. Legitimate-looking extensions are sometimes sold to new owners who quietly add tracking. Audit the publisher.
  5. Physical access. Stalkerware requires a few minutes with the unlocked device — invisible to network security tools.

How to Detect Spyware: Signs and Tools

Symptoms to Watch For

  • Battery drain. Persistent unexplained drain, even with no foreground apps active.
  • Mic / camera indicator activity. Modern OS indicators (green/orange dots on iOS and Android, the camera light on macOS) light up when those sensors are in use. Activity without an app in use is a red flag.
  • Heat at idle. Constant background processing produces heat.
  • Mobile data spikes. Stalkerware regularly uploads logs; check OS-level data-usage reports.
  • Unfamiliar accessibility services or device admin apps. On Android, Settings → Accessibility and Settings → Security → Device admin apps reveal apps with extreme permissions.
  • New configuration profiles on iOS (Settings → General → VPN & Device Management).
  • Browser changes. Default search engine swapped, new toolbars, autofill entries you did not create.
  • Antivirus disabled or excluded folders added that you did not configure.
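
The Android accessibility check above can also be run from a computer over adb. The script below is an added example, not part of the original article: it cross-references the enabled accessibility services with the installer recorded for each user-installed app and lists those that did not come from Google Play. The sample output and package names are constructed, and treating `com.android.vending` as the only expected installer is an assumption (other legitimate app stores will also be listed).

```python
import subprocess

PLAY_STORE = "com.android.vending"  # installer recorded for Google Play installs

def adb_shell(*args):
    """Run one command on the attached device (needs adb and USB debugging)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        source = [f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")]
        installers[fields[0][len("package:"):]] = source[0] if source else "null"
    return installers

def parse_accessibility(value):
    """Packages named in the colon-separated enabled_accessibility_services value."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    return {component.split("/", 1)[0] for component in value.split(":") if component}

def triage(pm_output, a11y_value):
    """User-installed apps with an enabled accessibility service and a non-Play installer."""
    installers = parse_installers(pm_output)
    return [(pkg, installers[pkg]) for pkg in sorted(parse_accessibility(a11y_value))
            if pkg in installers and installers[pkg] != PLAY_STORE]

# Constructed sample output; the package names are made up for illustration.
SAMPLE_PM = """package:com.example.notes  installer=com.android.vending
package:com.example.syncservice  installer=null
package:com.example.reader  installer=com.android.vending
"""
SAMPLE_A11Y = ("com.example.syncservice/.MonitorService:"
               "com.example.reader/com.example.reader.ReadAloud\n")

if __name__ == "__main__":
    # Live use: triage(adb_shell("pm", "list", "packages", "-3", "-i"),
    #   adb_shell("settings", "get", "secure", "enabled_accessibility_services"))
    for pkg, installer in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(f"review: {pkg} (installer={installer})")
```

The result is a list of apps to review by hand, not a verdict: a Play Store installer does not make an app benign, and a side-loaded app with an accessibility service is not necessarily stalkerware.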

Detection Tools

A scan with an antivirus that has scored well on AV-TEST or AV-Comparatives in recent months is the most accessible diagnostic. Independent labs test both the Protection axis (does it catch spyware?) and the Usability axis (does it produce false positives that cause users to ignore alerts?). Top-rated solutions in the AV-TEST December 2025 Home Windows test scored 6.0/6.0 on Protection across the major paid suites.

For confirmed or suspected stalkerware on Android, multiple vendors expose a dedicated stalkerware category in their UI and integrate with the Coalition Against Stalkerware's shared signature feed. On iOS, the official path is Apple's threat notifications and Lockdown Mode rather than third-party AV — Apple's restrictions on iOS make traditional file-scanning antivirus largely ineffective.

How to Remove Spyware: Step-by-Step

On Windows or macOS

  1. Disconnect from the network to halt exfiltration.
  2. Boot into safe mode. This prevents user-mode spyware from loading.
  3. Run a full scan with a top-tier antivirus. Quarantine, review, then delete.
  4. Run a second-opinion scanner with a different engine.
  5. Audit browser extensions and remove anything unfamiliar. Reset browsers that store autofill data after extension removal.
  6. Check installed programs (Windows Settings → Apps; macOS Applications) and uninstall anything you do not recognize.
  7. Reset all passwords from a clean device and enable multi-factor authentication.
  8. Apply OS and application updates. Many spyware infections persist by reusing a vulnerability that an available update already patches.
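
For step 5, an extension's manifest shows what it is allowed to read. The script below is an added example, not part of the original article: it reads each `manifest.json` under a Chrome profile's `Extensions` folder and lists extensions that combine all-site host access with permissions that expose browsing data. The `SENSITIVE` list is a selection made for this example, the folder layout `<id>/<version>/manifest.json` is assumed, and the sample manifests are constructed.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome permissions that expose browsing data or page content
SENSITIVE = {"cookies", "history", "tabs", "webRequest", "clipboardRead",
             "scripting", "debugger"}

def audit_manifest(manifest):
    """Return (broad_host_patterns, sensitive_permissions) for one manifest dict."""
    # Older manifests may hold non-string entries in "permissions"; skip those.
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    # Manifest V2 puts host patterns inside "permissions", so check both sets.
    return sorted((hosts | perms) & BROAD_HOSTS), sorted(perms & SENSITIVE)

def scan_extensions(ext_dir):
    """Audit each <id>/<version>/manifest.json under a Chrome 'Extensions' folder."""
    findings = []
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        broad, sensitive = audit_manifest(manifest)
        if broad and sensitive:  # all-site access combined with data access
            findings.append({"id": path.parts[-3], "name": manifest.get("name", "?"),
                             "hosts": broad, "permissions": sensitive})
    return findings

# Constructed manifests for illustration; neither describes a real extension.
SAMPLE_NARROW = {"name": "Example Notes", "manifest_version": 3,
                 "permissions": ["storage"],
                 "host_permissions": ["https://example.com/*"]}
SAMPLE_RISKY = {"name": "Example PDF Helper", "manifest_version": 3,
                "permissions": ["cookies", "tabs", "webRequest"],
                "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    for sample in (SAMPLE_NARROW, SAMPLE_RISKY):
        print(sample["name"], audit_manifest(sample))
```

Content blockers and password managers legitimately request the same combination, so treat the output as the shortlist of extensions whose publisher deserves a closer look.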

On Android

  1. Reboot into safe mode (long-press power, then long-press the "Power off" option on most devices).
  2. Uninstall apps with Accessibility or Device Admin permissions that you do not recognize.
  3. Run a reputable mobile antivirus and review the stalkerware-specific category if present.
  4. Reset network settings and clear browser data.
  5. Change passwords from a different device.
  6. If symptoms persist, perform a factory reset and restore only essential apps from Google Play.

On iPhone

  1. Update to the latest iOS. This patches known exploit chains.
  2. Remove unknown configuration profiles (Settings → General → VPN & Device Management).
  3. Review Settings → Privacy & Security for unfamiliar permission grants.
  4. Reset network settings if you suspect a malicious VPN profile.
  5. For confirmed compromise, perform a factory reset and restore from a backup made before the suspected compromise window. Do not restore the most recent backup if it might contain the infection.
  6. Enable Lockdown Mode if you face an elevated threat profile (journalist, activist, executive).

How to Prevent Spyware

  • Install software only from official stores and verify the publisher.
  • Audit app permissions regularly. Revoke microphone, camera, and location access for apps that do not need them.
  • Keep OS and browser auto-updating.
  • Use a reputable antivirus with recent independent lab certifications.
  • Use a password manager and unique passwords so a single info-stealer log does not unlock everything.
  • Enable multi-factor authentication on email, banking, social, and cloud accounts.
  • For stalkerware threat models specifically, the Coalition Against Stalkerware and the Safety Net Project provide victim-focused guidance.

FAQs

What is spyware in simple terms?

Spyware is software that runs on your device without clear consent and quietly collects information about you — keystrokes, passwords, browsing, location, microphone audio, or camera frames — and sends that data to a third party. It can arrive as a standalone trojan, as a bundled installer, or in some cases as commercial "monitoring" software marketed as legitimate.

How can I tell if I have spyware?

Common signs include unexplained battery drain, the camera or microphone indicator turning on when no app is in use, browser settings changing on their own, new toolbars or extensions, unusual data usage on mobile, and devices running hot when idle. A scan with an AV-TEST top-rated antivirus is the most reliable way to confirm.

Is stalkerware the same as spyware?

Stalkerware is a subset of spyware. The technical behavior is identical — covert monitoring and exfiltration — but stalkerware is specifically marketed for surveilling a partner, child, or employee. The Coalition Against Stalkerware, founded in 2019 by major antivirus vendors and victim-advocacy groups, treats stalkerware as a distinct detection category.

How do I remove spyware from my phone?

On Android, reboot into safe mode, uninstall any unfamiliar apps with admin or accessibility permissions, then run a reputable mobile antivirus and review the list of apps with sensitive permissions. On iPhone, the most reliable removal is to update iOS to the latest version, remove unknown configuration profiles, and reset network settings. A factory reset is the strongest option in confirmed cases.

Can spyware survive a factory reset?

In almost all consumer cases, no. A genuine factory reset wipes the user partition where spyware lives. The rare exceptions are firmware-level implants — historically associated with nation-state operations such as the FinFisher and Pegasus toolkits — which are extraordinarily uncommon on the typical consumer device. After a reset, restore from a clean backup, not the most recent one, and re-install apps from official stores only.

Is spyware illegal?

Installing spyware on a device you do not own or have explicit consent to monitor is illegal in most jurisdictions. In the United States, it can violate the Computer Fraud and Abuse Act and several state wiretapping statutes. The U.S. Federal Trade Commission has banned multiple stalkerware vendors from operating, including Retina-X in 2019 and SpyFone in 2021.

The Bottom Line

Spyware is the malware category most defined by patience. It earns nothing by being noticed; it earns everything by remaining quiet. That is also why a healthy spyware defense looks boring: keep the OS and browser current, install only from official stores, run a top-tier antivirus on every device, audit app permissions every few months, and use a password manager with multi-factor authentication. None of that requires expensive specialty software, and none of it is unique to any one product brand. For a wider view of how spyware fits into the rest of the threat landscape, our 12 types of malware guide and trojan virus explainer cover the surrounding categories. When you are ready to compare specific antivirus products on independent lab data — not affiliate ranking deals — our best antivirus rankings consolidate AV-TEST, AV-Comparatives, and SE Labs results in one place.
